Securing Bermuda

By Robin Trimingham, 2000-05-01

Not a day goes by without word of some new virus or computer hacker flashing through the corporate mailbox. Yet, with each passing day, there is more and more pressure for traditional industries to engage in business in the e-realm, or expand their operations even further into cyber space.

Increasingly, at the core of the questions in every executive's mind is the issue of trust:

How will a company know, beyond a doubt, with whom they are contracting business?

How will secure, reliable transfers of funds be maintained in an impenetrable environment?

How will categories of exposure be determined so that insurance can be offered for different e-business risk profiles?

What is the risk-benefit ratio between delaying the launch of an e-operation until all of these issues are resolved and proactively acquiring a substantial market share of the unclaimed e-business territory?

What steps are being taken by various jurisdictions to provide a secure legislative environment for e-commerce transactions?

One piece of the solution to this security puzzle lies in establishing standards for the acceptance of digital signatures. While the vast majority of international jurisdictions have yet to adopt any legislation with respect to the creation and legality of digital signatures,1 the Bermuda government has proactively set forth legislation within the Electronic Transactions Act 1999 which legitimises the use of digital and electronic signatures for all types of communications. Electronic signatures are increasingly used to sign purchase orders in internet transactions. They are likely to figure prominently in any electronic insurance applications that are developed in the near future.

By definition, under the terms of the act, an electronic signature is “a signature in electronic form in, attached to, or logically associated with, information that is used by a signatory to indicate his adoption of the content of that information and meets the following requirements: it is uniquely linked to the signatory; it is capable of identifying the signatory; it is created using means that the signatory can maintain under his sole control and it is linked to the information to which it relates in such a manner that any subsequent alteration of the information is revealed.”

In principle, this form of electronic signature can be an electronic mark or symbol made or adopted by the person with the intent to sign a file, or it can be an alphanumeric number attached to a document that is unique to both the document itself, and the person signing the document. In Bermuda, it is possible to obtain permission to issue digital certificates and act as a certification authority by filing a straightforward application with the Ministry of Telecommunications and E-Commerce. Applicants who pass the due diligence qualifications are then approved. An electronic signature associated with an accredited certificate is deemed to meet any statutory requirement for the signature of a person except for the creation, execution or revocation of a will or the conveyance of real property.

Encryption

The Bermuda act also provides a framework for the import and export of encryption programmes and encryption products at the discretion of the minister and affirms that “it is lawful in Bermuda for a person to use any encryption program or other encryption product of any bit size or other measure of the strength of the encryption provided that it has lawfully come into the possession of that person.” This simple measure will continue to allow new digital signature technology and security measures that meet the qualifications of the definition of electronic signatures to be legally adopted in Bermuda in a timely manner.

Digital signatures are created by software programmes that are built into applications such as Microsoft's Outlook 2000. The typical signature is over 150 characters in length and would resemble the following example: “sdj+kfhEV=R897e4o2jdf4mo90S1F”. These encrypted alphanumeric sequences can be attached to any document that is stored in a computer including letters, contracts, blueprints, drawings and photographs.

There are two ways in which a company can establish a Bermuda presence through which it could seek to obtain permission to issue digital certificates in Bermuda; one is through traditional incorporation, the other is through the establishment of a virtual entity known as an “eSuite™”, within a segregated account company structure created under a private act of the Bermuda Parliament, the EBS Ltd. Act. (For more information on segregated account companies, see the article by Alison Dyer in this edition.)

The Electronic Transactions Act also addresses the data protection concerns associated with e-commerce by empowering the Minister of Telecommunications and E-Commerce to make regulations with respect to the protection of personal data. Moreover, the EBS Ltd. Act contains specific provisions relating to data protection principles and the appointment and duties of a data protection officer based upon the European Union model. The aim of such provisions is to create a “safe harbour” regime in Bermuda in keeping with the EU guidelines for the transfer of personal data outside the EU.5

Robin Trimingham is director of marketing for OeBusiness.com.

1 Hong Kong passed the Electronic Transaction Ordinance on 7 January 2000 recognising digital signatures. The United States is enacting legislation on a state by state basis.